Analysis
- max time kernel: 117s
- max time network: 129s
- platform: windows10-2004_x64
- resource: win10v2004-20231127-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/12/2023, 23:26
Static task: static1
Behavioral task: behavioral1
- Sample: 60588a6f47d1f0d081540e85db65315a205c646b4da9bb888debeeff403d106b.exe
- Resource: win7-20231020-en
Behavioral task: behavioral2
- Sample: 60588a6f47d1f0d081540e85db65315a205c646b4da9bb888debeeff403d106b.exe
- Resource: win10v2004-20231127-en
General
- Target: 60588a6f47d1f0d081540e85db65315a205c646b4da9bb888debeeff403d106b.exe
- Size: 1.9MB
- MD5: ea943c8c9043537a9cc37badbbddc4b3
- SHA1: d5ce8a130a9ee8cb18f48b8c00916d2d970469c3
- SHA256: 60588a6f47d1f0d081540e85db65315a205c646b4da9bb888debeeff403d106b
- SHA512: 7a5d4837193fa5a456c88958662e8daff7adeeffd13a52e23223dccad898aa6de2b1b9361609d13b9d02f109f007ae9ce6949b5f19160a6b6c6b6b7b6cdca3d5
- SSDEEP: 49152:77QMGIEr2hyyU/sQaIbd/HA/XXO5YbQBIEbrGygStXBqxoXbrSIQ5kBGFDgl:75GIE6XU/sQDd4/e5YkBIEbrGygSZr97
Signatures
- FatalRat
  FatalRat is a modular infostealer family written in C++, first appearing in June 2021.
- Fatal Rat payload (1 IoC)
  resource | yara_rule
  behavioral2/memory/4988-2-0x0000000010000000-0x000000001002A000-memory.dmp | fatalrat
- Executes dropped EXE (2 IoCs)
  pid | Process
  2824 | mstcs.exe
  4976 | mstcs.exe
- Drops file in System32 directory (3 IoCs)
  description | ioc | Process
  File created | C:\WINDOWS\SysWOW64\1.bin | 60588a6f47d1f0d081540e85db65315a205c646b4da9bb888debeeff403d106b.exe
  File opened for modification | C:\WINDOWS\SysWOW64\1.bin | mstcs.exe
  File opened for modification | C:\WINDOWS\SysWOW64\1.bin | mstcs.exe
- Modifies data under HKEY_USERS (7 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation = "1" | mstcs.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System | mstcs.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software | mstcs.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | mstcs.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | mstcs.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | mstcs.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies | mstcs.exe
- Suspicious behavior: RenamesItself (1 IoC)
  pid | Process
  4988 | 60588a6f47d1f0d081540e85db65315a205c646b4da9bb888debeeff403d106b.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4988 | 60588a6f47d1f0d081540e85db65315a205c646b4da9bb888debeeff403d106b.exe
  Token: SeDebugPrivilege | 2824 | mstcs.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid | Process
  4988 | 60588a6f47d1f0d081540e85db65315a205c646b4da9bb888debeeff403d106b.exe
  2824 | mstcs.exe
  4976 | mstcs.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 2824 wrote to memory of 4976 | 2824 | mstcs.exe | 89
  PID 2824 wrote to memory of 4976 | 2824 | mstcs.exe | 89
  PID 2824 wrote to memory of 4976 | 2824 | mstcs.exe | 89
Processes
- C:\Users\Admin\AppData\Local\Temp\60588a6f47d1f0d081540e85db65315a205c646b4da9bb888debeeff403d106b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\60588a6f47d1f0d081540e85db65315a205c646b4da9bb888debeeff403d106b.exe"
  PID: 4988
  - Drops file in System32 directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
- C:\ProgramData\mstcs.exe
  Command line: C:\ProgramData\mstcs.exe
  PID: 2824
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\mstcs.exe (child process)
    Command line: C:\ProgramData\mstcs.exe Win7
    PID: 4976
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
Downloads
- Filesize: 1.9MB
  MD5: ea943c8c9043537a9cc37badbbddc4b3
  SHA1: d5ce8a130a9ee8cb18f48b8c00916d2d970469c3
  SHA256: 60588a6f47d1f0d081540e85db65315a205c646b4da9bb888debeeff403d106b
  SHA512: 7a5d4837193fa5a456c88958662e8daff7adeeffd13a52e23223dccad898aa6de2b1b9361609d13b9d02f109f007ae9ce6949b5f19160a6b6c6b6b7b6cdca3d5
- Filesize: 209KB
  MD5: ea94693251b561ca1b82696496c22e3a
  SHA1: ab0dba7fcadc9d6f4d283b6020f4c87fd5d4a014
  SHA256: 0a60a014d9f05c78aa50c783a7600f87b5c839edc8698c4f34b401e17be53c8b
  SHA512: ce8dfb1f9c45dd488555256b3f599f4c3124179bcd8ef017157a3549a6fbb8da7cd364cb980f436c6cdced0774fa996683f6d6ea24ee346cfd1cab5d75fd5177